Sunday, July 17, 2022

Extreme Switch - How to verify SSH algorithms in EXOS?

There are two ways to identify the SSH algorithms an EXOS switch offers.

Option 1. Using Nmap without ssh into the switch

Use the following command with Nmap in Linux, macOS, or Zenmap in Windows.
nmap -sV -p 22 --script ssh2-enum-algos

macOS:/Users/analysisman% nmap -sV -p 22 --script ssh2-enum-algos
Starting Nmap 7.80 ( ) at 2020-11-04 23:16 PST
Nmap scan report for
Host is up (0.0028s latency).

22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       diffie-hellman-group14-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (4)
|       [email protected]
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (6)
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      [email protected]
MAC Address: 00:04:96:9B:55:AD (Extreme Networks)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Linux 3.11 (96%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 
Network Camera (Linux 2.6.17) (94%), Linux 3.10 (94%), Linux 2.6.18 (93%), Linux 3.16 (93%), Linux 3.18 (93%), Linux 2.6.32 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 7.11 seconds
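What ssh2-enum-algos reads is the server's SSH_MSG_KEXINIT, so the same check can be scripted against a saved packet and compared with a hardening policy. The Python below is an added example, not code from the original post or from Extreme; the FIELDS and WEAK tables, the function names and the constructed sample offer are my own (the sample mirrors the plainly listed names above).

```python
SSH_MSG_KEXINIT = 20
# Name-lists inside SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms", "encryption_algorithms_c2s",
          "encryption_algorithms_s2c", "mac_algorithms_c2s", "mac_algorithms_s2c",
          "compression_algorithms_c2s", "compression_algorithms_s2c", "languages_c2s", "languages_s2c")
# Substrings a review flags: SHA-1 kex and MACs, ssh-rsa/ssh-dss host keys (SHA-1 sigs), CBC/3DES/RC4.
WEAK = {"kex_algorithms": ("sha1",), "server_host_key_algorithms": ("ssh-rsa", "ssh-dss"),
        "encryption_algorithms": ("cbc", "3des", "arcfour"), "mac_algorithms": ("sha1", "md5")}

def kind(field):  # strip the _c2s/_s2c direction suffix, so one WEAK entry covers both directions
    return field[:-4] if field.endswith(("_c2s", "_s2c")) else field

def build_kexinit(lists):
    """Encode a KEXINIT payload; keys may omit the direction suffix (used for the sample)."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16              # message id + 16-byte cookie
    for field in FIELDS:
        raw = ",".join(lists.get(field) or lists.get(kind(field), [])).encode("ascii")
        body += len(raw).to_bytes(4, "big") + raw
    return body + b"\x00" + b"\x00\x00\x00\x00"                  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the payload (bytes after the binary-packet header) into name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for field in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        if len(payload) < pos + 4 + n:                           # also catches a cut-off length field
            raise ValueError("truncated name-list: " + field)
        raw = payload[pos + 4:pos + 4 + n]
        lists[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return lists

def weak_offers(lists):
    """Return {field: [names]} for every offered algorithm matching WEAK."""
    found = {}
    for field, names in lists.items():
        hits = [a for a in names if any(w in a for w in WEAK.get(kind(field), ()))]
        if hits:
            found[field] = hits
    return found

# Constructed sample mirroring the EXOS offer shown above (not a captured packet).
SAMPLE = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256",
                       "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms": ["aes128-ctr", "aes192-ctr", "aes256-ctr"], "compression_algorithms": ["none"],
    "mac_algorithms": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]})
```

Running `weak_offers(parse_kexinit(SAMPLE))` points at the SHA-1 key exchange, the ssh-rsa host-key signature and hmac-sha1 in both directions, which is the list to take into the cipher configuration step in Option 2.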

Option 2. CLI command in EXOS

The “show ssh2” command shows the key type, ciphers, MACs, public key algorithms, and so on.
show ssh2

X440G2-12p-10G4.2 # sho ssh2
SSH module configuration details:
SSH Access            : Enabled
Key validity          : Valid
Key type              : RSA 2048
TCP port              : 22
VR                    : all
Access profile        : not set
Secure Mode           : Off
Diffie-Hellman Groups : 14 (2048 bits), 16 (4096 bits), 18 (8192 bits)
Max Auth Tries        : 3
Idle time             : 60 minutes
Rekey Interval        : 4096 MB and no time limit
Ciphers               : [email protected], aes128-ctr, aes192-ctr, aes256-ctr
Macs                  : [email protected], [email protected], 
[email protected], hmac-sha2-256, hmac-sha2-512, hmac-sha1
Public key algorithms : ssh-rsa, x509v3-sign-rsa, x509v3-sign-dss
Login grace timeout   : 120 seconds

To enable or disable a cipher, use the following command.

# configure ssh2 enable cipher {all/<cipher>}

NOTE: You must be running version or later (earlier versions do not accept this command).
